Phished

As phishing improves and spreads, the importance of two-factor authentication grows.

Maybe I’m the last person to know this, but phishing has spread beyond email. And it’s not really pretty.

Here’s the story: A few nights ago, I got a Twitter direct message (DM) from a friend saying that someone was saying nasty things about me, with a link. The link was a shortened (t.co) link, so it was hard to see exactly what it pointed to. I followed the link on my cell phone, and got to a website that certainly looked legit, and I was foolish enough to log in. Pwnd. A few minutes later, my Twitter account was spewing tweetspam about the latest pseudo-scientific weight loss fad.

It’s all fairly classic, except for a couple of things:

It happened via Twitter. I haven’t seen this before, but maybe I’m the last to know.

On the small cell phone screen, it was harder to notice that the fake login screen wasn’t right.

The guy who sent me the DM had exactly the same story: he was the victim of a phish, didn’t notice because of the smaller cell phone screen, and evidently his account was used to forge the DM that was sent to me. So phishes are being chained.

While we’re used to distrusting messages from companies, we aren’t used to distrusting messages from friends.

Yeah, I was being a bit clueless. And I ignored (though I noticed) the odd, atypical phrasing of the original DM from my “friend.” Changing technology doesn’t make the bad guys learn grammar. But still, wishing I had acted on my instincts is pointless. As a security researcher told me a couple of years ago, highly targeted phishing attacks are going to look so real that you really won’t be able to tell whether or not a message is legit.

There’s a real moral to the story. What if Twitter, like Google and Facebook (and unlike Apple or Amazon), supported two-factor authentication? We’d have a much different picture. An Internet criminal might be able to use a phish to get my password, but he still wouldn’t have the second factor, the code sent to my phone to complete the login. And he wouldn’t be able to get that code; that’s a transaction entirely between me and the provider, a transaction that can’t be spoofed by a forged site.

It’s inexcusable not to support two-factor authentication. If you don’t have the technical chops to implement it yourself, use an authentication provider, like Google. Never use an authentication provider that doesn’t support two-factor authentication.

This goes double (if not triple or quadruple) if you’re handling financial transactions. Twitter is off the hook here, but Apple, Amazon, PayPal, this means you.
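
The second-factor step described above, as an added example (not from the original article or any provider's code): after the password check passes, the server issues a short-lived, single-use code for delivery to the user's phone and accepts the login only if that code comes back. The class name, the in-memory store, the five-minute lifetime and the five-attempt limit are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time

CODE_TTL = 300      # seconds a code stays valid (assumed policy)
MAX_ATTEMPTS = 5    # wrong guesses allowed per issued code (assumed policy)


class SecondFactor:
    """Issues and checks one-time login codes; pending codes live in memory."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._pending = {}  # user -> [salt, digest, expires_at, attempts_left]

    @staticmethod
    def _digest(salt, code):
        return hashlib.sha256(salt + code.encode()).digest()

    def issue(self, user):
        """Call only after the password check passed. Returns the code to
        deliver out of band (SMS, voice); the plaintext is not stored."""
        code = f"{secrets.randbelow(10**6):06d}"   # CSPRNG, not random.randint
        salt = secrets.token_bytes(16)
        self._pending[user] = [salt, self._digest(salt, code),
                               self._clock() + CODE_TTL, MAX_ATTEMPTS]
        return code

    def verify(self, user, submitted):
        """True only for the current, unexpired, not-yet-used code."""
        entry = self._pending.get(user)
        if entry is None:
            return False
        salt, digest, expires_at, attempts_left = entry
        if self._clock() > expires_at or attempts_left <= 0:
            del self._pending[user]    # expired or guessed out: force re-issue
            return False
        entry[3] -= 1                  # count this attempt before comparing
        if hmac.compare_digest(digest, self._digest(salt, str(submitted))):
            del self._pending[user]    # single use: a replayed code fails
            return True
        return False
```

A password captured by a forged login page is not enough to pass `verify`, because the code only ever travels over the channel to the phone and stops working once it has been used or has expired.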

“While we’re used to distrusting messages from companies, we aren’t used to distrusting messages from friends.” I still remember the macroviruses of the late-90s that ran through people’s Outlook contacts and propagated by sending email to them.

Kradak

While you’re at it regarding two-factor authentication, why doesn’t my bank use two account numbers (one for deposits and one for withdrawals)? Or the Social Security Administration – one number to identify me, but a second factor to enable me to get a job or receive money.

Charles

Why would two factor authentication save you in this case (at least for the common case of using the phone as the second factor)? Since you linked to it, you might be interested in this passage:

“Any authentication process which utilizes an insecure out-of-band method such as email data link or phone voice or data link or fails to provide mutual-authentication, and is inherently vulnerable to man-in-the-middle (MITM) attacks. In a man-in-the-middle attack, a fraudster is actually interacting with the legitimate website, and the victim is interacting with the fraudster’s counterfeit website. A victim who is lured to a fraudulent website then triggers the attack by entering the normal login credentials on the counterfeit website. The counterfeit website then transmits these stolen credentials to the legitimate website using scripts or other protocols and the legitimate website then initiates a telephone call to the victim. Believing the website to be legitimate, the victim pushes the appropriate buttons on the phone, not realizing that doing so permits the fraudster to complete entry into the victim’s account for complete access.”

definitely not a new thing on twitter, but maybe only arriving from certain spam…. really tho — what was so convincing about the login page that you thought you’d have to log in to see something…(on twitter)….. you really shouldn’t have to put your twitter user/pass into anything except logging into twitter…all authentication/oauth requests should get passed through that etc….

The tools I use to fight phishing are either cumbersome or just not available on my phone: curl(1) for navigating redirects, browser UI to examine certs, view source…

floatingbones

These are pretty easy to spot on a laptop. I’d never thought of the difficulty of visualizing the phishing attacks on a smaller phone display.

One thing that might help is to use OpenDNS to flag phishing sites. This will not catch all of the phishing sites, but OpenDNS is constantly updating their list of phishing sites. Do you config to use their DNS?

Dave Hein

The problem with two factor authentication is: if you lose your phone (it fails, you drop it, lose it, drown it, or it gets stolen) then you can’t get into any of your accounts.

Any scheme to recover access can also be used by hackers to social engineer access to your account.